Cyber: “The System is Blinking Red Once Again”

The Newsletter

At a recent private D.C. dinner, Homeland Security Secretary Kirstjen Nielsen gathered with academics and cyber experts from the private sector to talk candidly about urgent cyber threats and actions that DHS is taking to address them.

It was an intimate event, hosted by Atlantic Council President Fred Kempe and Dr. Catherine Lotrionte, the Brent Scowcroft scholar at the Atlantic Council, and the driving force behind the annual International Conference on Cyber Engagement (ICCE), one of the few internationally-focused cyber events that puts a premium on how evolving threats intersect and impact everyone.

Huddled at the tables, were some of the country’s cyber elite: former DHS Secretary (and Cipher Brief expert) Michael Chertoff, former Trump Homeland Security Advisor Tom Bossert, former Cybersecurity Coordinator in the Obama Administration Michael Daniel, and leading cyber expert Melissa Hathaway, who served as a senior cyber advisor under two administrations and is currently with Harvard’s Belfer Center. There were dozens more invited guests from the academic and private sectors.

The topics of conversation in that room were telling, and worthy of sharing with a wider audience. Secretary Nielsen spoke about the viral spread of volatile malware and how it has moved past the “epidemic” stage and is now more aptly described as a “pandemic”. She talked about threats that are more numerous, more widely distributed, highly-networked, increasingly adaptive, and incredibly difficult to root out. “We are in a new, pre-9/11 moment,” she told the hushed room. “The system is blinking red once again”.

The Secretary spent about half an hour ticking through a list of talking points that painted a grim picture of the evolving threat and she described a government that must act quickly in response.

“We are witnessing historic shifts in the threat landscape,” she told the guests. “The pace of innovation, our hyper-connectivity, and our digital dependence, have opened cracks in our defenses, creating new opportunities and new vectors through which nefarious actors can strike us.” And the problem isn’t getting better, she added. “I’m sorry to report that it’s going to get worse. Today, more than 30 nation-states have cyber-attack capabilities. Sophisticated digital toolkits are spreading like wildfire to both state and non-state actors.

The fact that Congress, that very week, had passed a bill establishing the Cybersecurity and Infrastructure Security Agency, to be housed within DHS, provided a convenient backdrop for what DHS is doing about the problem.

At the moment, Nielsen told the guests, DHS is implementing what it calls a “collective defense” posture. According to Nielsen, it will allow the government to better crowdsource the protection of systems, better confront systemic risk, and moves DHS away from what she called a singular focus on the protection of specific assets and systems. She also laid out a DHS strategy that operates on a policy of “relentless resilience”, allowing the government to adapt more quickly while under attack.

As The Cipher Brief prepares to launch its own Cyber Initiatives Group in 2019 – in part – to support efforts like Lotrionte’s ICCE, we wanted to give you a sample of the conversation in that room that night, so we asked the following guests for their permission to share the questions they put to the Secretary.

“How do you envision the day-to-day operation with the private sector? What will be different from what DHS has done before? How do you envision it evolving?”

Kirstjen Nielsen,Secretary of Homeland Security

[On the National Risk Management Center] “We’re trying to recognize, that because of our hyper-connectivity, because the way in which we’re all connected, it is, unfortunately, a truism that your risk is our risk, and our risk is your risk. We truly are all connected. First of all, it’s a recognition of that. It’s a recognition that the private sector continues to own much of our critical infrastructure and the central functions that critical infrastructure provides. It’s a recognition that no one entity has the authority, capabilities and capacities to address this.”

James Lewis, Sr. Vice President and Program Director, CSIS

“What would you want from Congress, in terms of new legislation?”

Kirstjen Nielsen, Secretary of Homeland Security

“We do need some additional authority, in my opinion, on how we can hire. We have worked extensively to develop a sister companion to the GSA schedule, so we can recognize cyber talent for what it is. We need better retention, better ways to pay them, better ways to entice them to serve their country.”

“How do you see the challenge of not just securing our technology going forward, but also securing consumer trust in that technology? Especially at a time where we’ve really seen that resilience is the only way forward, where we have to be able to bounce back from challenges and failures. How do you think we might be able to approach that challenge?”

Kirstjen Nielsen, Secretary of Homeland Security

“Awareness with the American people is very important—giving them tools to help themselves, ways to audit the information, giving them ways to spot something that’s suspicious. “If you see something, say something” But we’re trying to translate that—what does that mean in the cyber realm?”

“What are your thoughts going forward in a world where we have such diverse interests, bringing both public and private sector together in a coalition of the willing and what is the role of DHS in that space?”

Kirstjen Nielsen, Secretary of Homeland Security

“The challenge in talking to international allies is the difference culturally that leads to a different approach—for example the European approach to privacy, differences between Five Eyes approaches to encryption, attribution and consequences, etc. Some norms are there—but how do we take it to the next level?”

Jason Healey, Senior Research Scholar, Columbia University

[Referring to the National Cyber Strategy] “What metrics do we have and how do we know if the strategy is succeeding? This new strategy that will use offensive cyber operations to induce friction on the other side and that will lead to stability—is there a role for DHS to see if it is actually working that way or if it is inducing some adversaries to attack more than they would? Is the role for DHS to be a balancer for DoD?”

Kirstjen Nielsen, Secretary of Homeland Security

“I usually talk about resilience in the context of bouncing forward—how do we innovate? How can we ensure that central functions continue to be provided and what are those essential functions from a nationwide perspective? Because we can’t protect everything, we have to prioritize. But that systemic level—those essential functions—we see this in natural disasters every time. When they go down, communities have difficulty recovering. So, my metric is to make sure that we have enough redundancy built in so that we are resilient in the face of attack and can come back online very quickly. DHS’s role may be balancing as you say—but it’s also educating as to what the potential unintentional consequences might be. Based on what we know, what we’ve seen, what do we think they might do in response—and how can we then prepare for that, or does that lead to another conclusion in terms of a cause of action?”

(Ed Note: Education is a massive part of the cyber defense posture according to almost every expert you talk to these days. It’s also why The Cipher Brief has decided to support an alliance of broad-based professionals coming together to support each other’s messages and address the problem from a collective posture, including the support of the ICCE Conference in April 2019. According to Lotrionte, “The goal of developing international security and stability in cyberspace will remain a work in progress and each step will have to be built on what has already been achieved. The ICCE and other similar gatherings of stakeholders are critical to furthering cooperation on an international scale. And yet still today, it remains clear that the global community is still not organized to compete with the cyber threat nor is it keeping pace with developing technology,” says Lotrionte. “Indeed, the investment in partnerships to develop an informed international dialogue between governments, the private sector and civil society on cyber, like the ICCE, is more critical than ever.”)

Find out more about the ICCE Conference here and find out how you can become a part of The Cipher Brief’s Cyber Initiatives Group later this month in TCB.

The warning signs are there, the system is blinking, and that is why I believe we are at a critical point. Today, unlike the status of our intelligence community in 2001, we’re much more integrated and much better at sharing information between agencies. But the evolving cyber threat is illuminating new daily challenges in how we treat information. We are dealing with information silos of a different kind, including between the public and private sector.